Any need for setting NSEC3 salt and iterations?

RFC 9276 (BCP 236) specifies that for NSEC3, no extra iterations and an empty salt are best current practice. For this reason, the alpha version of Cascade does not have support for setting these in policies.

That raises the question: do people need to set iterations and/or salt, or can we leave it out?

If setting the salt is required, then the next question becomes: is there a need for automatic salt rotation?

Adding support for setting iterations and salt is easy enough. Automatic salt rotation may require optimized code for generating new NSEC3 hash chains.
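For readers who want to see what the iterations and salt actually do to the NSEC3 hash chain, here is an added example (not Cascade code, and not part of the original post). It implements the NSEC3 hashing rule from RFC 5155 section 5 with Python's standard library, builds the hashed-owner chain for a constructed three-name zone, and checks a presentation-format NSEC3PARAM RDATA against the BCP 236 rule (zero iterations, empty salt). The zone names and the NSEC3PARAM strings are constructed for illustration; the salt `aabbccdd` with 12 iterations is the parameter set used by the RFC 5155 Appendix A example zone.

```python
"""NSEC3 hashing (RFC 5155 section 5) plus a BCP 236 / RFC 9276 parameter check.

Added example, not part of Cascade. Names and NSEC3PARAM strings below are
constructed for illustration.
"""
import base64
import hashlib

# RFC 5155 encodes the hash in base32 with the extended hex alphabet (RFC 4648 s.7).
# Python's b32encode uses the standard alphabet, so remap it.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX_ALPHABET = bytes.maketrans(_B32_STD, _B32_HEX)


def name_to_wire(name: str) -> bytes:
    """Canonical wire-format owner name: lowercased, length-prefixed labels, root = 0x00."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    body = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return body + b"\x00"


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """IH(salt, x, 0) = SHA-1(x || salt); IH(salt, x, k) = SHA-1(IH(k-1) || salt).

    'iterations' is the NSEC3PARAM value, i.e. the number of *extra* hash rounds,
    so 1 + iterations SHA-1 computations run in total. Only hash algorithm 1 (SHA-1)
    is defined for NSEC3. Returns lowercase base32hex, 32 chars for a 20-byte digest.
    """
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_HEX_ALPHABET).decode("ascii").lower()


def nsec3_chain(names, salt: bytes = b"", iterations: int = 0):
    """Hashed owner names in canonical order, each paired with its successor
    (the last entry wraps to the first). Any change of salt or iterations
    changes every hash, so the whole chain has to be regenerated."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, hashed[(i + 1) % len(hashed)]) for i, h in enumerate(hashed)]


def parse_nsec3param(rdata: str):
    """Parse presentation-format NSEC3PARAM RDATA: '<alg> <flags> <iterations> <salt>'.
    A salt of '-' means empty."""
    alg, flags, iterations, salt = rdata.split()
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return int(alg), int(flags), int(iterations), salt_bytes


def bcp236_compliant(rdata: str) -> bool:
    """True when the NSEC3PARAM follows RFC 9276 (BCP 236): 0 extra iterations, empty salt."""
    _alg, _flags, iterations, salt = parse_nsec3param(rdata)
    return iterations == 0 and salt == b""


if __name__ == "__main__":
    zone = ["example", "ns1.example", "a.example"]  # constructed zone
    print("BCP 236 parameters:")
    for owner, nxt in nsec3_chain(zone):
        print(f"  {owner} -> {nxt}")
    print("After changing the salt (every hash differs, chain rebuilt):")
    for owner, nxt in nsec3_chain(zone, salt=bytes.fromhex("aabbccdd")):
        print(f"  {owner} -> {nxt}")
    for rdata in ("1 0 0 -", "1 0 12 aabbccdd"):
        print(f"NSEC3PARAM {rdata!r}: compliant={bcp236_compliant(rdata)}")
```

Running it shows the practical cost behind the question in the post: every salt or iteration change produces a completely different set of hashed owner names, so rotating the salt means rehashing and re-sorting the entire zone rather than touching a single record.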

After thinking briefly about it, and looking at how I use things, I’d say: yes, you can leave it out. I cannot think of a situation where I would go against the BCP. (And I dislike NSEC3 altogether, so I hope you have an NSEC option as well. :wink: )

1 Like

After going through the trouble of implementing NSEC3 with and without opt-out, we have to force it on everybody. :supervillain:

(Of course, NSEC is supported and is the default.)

1 Like